[WS-2909] Add hmac signing capabilities to request-validation module

Author: alexpopero

.gitignore

@@ -0,0 +1,2 @@
+target/**
+dump.rdb

src/lua/api-gateway/validation/factory.lua

@@ -96,6 +96,11 @@ local function _validateHmacSignature()
     return hmacSignatureValidator:validateSignature()
 end
 
+local function _generateHmacSignature()
+    local hmacSignatureValidator = HmacSignatureValidator:new()
+    return hmacSignatureValidator:generateSignature()
+end
+
 local function _validateOAuthToken()
     local oauthTokenValidator = OAuthTokenValidator:new()
     return oauthTokenValidator:validateRequest()
@@ -110,6 +115,7 @@ end
 return {
     validateApiKey = _validateApiKey,
     validateHmacSignature = _validateHmacSignature,
+    generateHmacSignature = _generateHmacSignature,
     validateOAuthToken = _validateOAuthToken,
     validateUserProfile = _validateUserProfile,
     validateRequest = _validateRequest,

src/lua/api-gateway/validation/signing/hmacGenericSignatureValidator.lua

@@ -43,6 +43,8 @@ local _M = BaseValidator:new()
 local RESPONSES = {
         MISSING_SIGNATURE   = { error_code = "403030", message = "Signature is missing"        },
         INVALID_SIGNATURE   = { error_code = "403033", message = "Signature is invalid"        },
+        MISSING_SOURCE      = { error_code = "400001", message = "Missing digest source"       },
+        MISSING_SECRET      = { error_code = "400002", message = "Missing digest secret"       },
         -- unknown error is not used at the moment
         UNKNOWN_ERROR       = { error_code = "503030", message = "Could not validate Signature"}
 }
@@ -69,6 +71,30 @@ function  _M:validateSignature()
     return self:exitFn(RESPONSES.INVALID_SIGNATURE.error_code, cjson.encode(RESPONSES.INVALID_SIGNATURE))
 end
 
+function  _M:generateSignature()
+    local source = ngx.var.hmac_sign_source_string
+    local secret = ngx.var.hmac_sign_secret or ngx.ctx.key_secret -- ngx.ctx.key_secret is set by api key validator
+    local algorithm = ngx.var.hmac_sign_method
+
+    if source == nil or source == '' then
+        ngx.log(ngx.WARN, "Invalid sign request. Missing source.")
+        return self:exitFn(RESPONSES.MISSING_SOURCE.error_code, cjson.encode(RESPONSES.MISSING_SOURCE))
+    end
+
+    if secret == nil or secret == '' then
+        ngx.log(ngx.WARN, "Invalid sign request. Missing secret.")
+        return self:exitFn(RESPONSES.MISSING_SECRET.error_code, cjson.encode(RESPONSES.MISSING_SECRET))
+    end
+
+    local hmac = RestyHMAC:new()
+    local digest = ngx.encode_base64(hmac:digest(algorithm, secret, self:getHmacSource(source), true))
+
+    self:debug(ngx.DEBUG, "Generate HMAC DIGEST WITH secret=" .. secret .. " Got digest " .. digest .. " for source " .. source)
+    ngx.var.generated_digest = digest
+
+    return self:exitFn(ngx.HTTP_OK)
+end
+
 -- method to be overriden in the super classes to return another source
 -- some implementations may choose to apply a lowercase or other transformations
 -- NOTE: the same can be achieved by using

src/lua/api-gateway/validation/validatorsHandler.lua

@@ -84,6 +84,12 @@ function ValidatorsHandler:getValidatorsList()
            }
        },
 
+       generate_hmac_signature = {
+           defaultProperties = {
+              path = '/generate_hmac_signature', order=2
+           }
+       },
+
        -- service_plan validator usually contains throttling limits
        validate_service_plan = {
             defaultProperties = {

src/lua/api-gateway/validation/validatorsHandlerErrorDecorator.lua

@@ -65,7 +65,10 @@ local DEFAULT_RESPONSES = {
         DELAY_CLIENT_ON_REQUEST = { http_status = 503, error_code = 503071, messsage = '', headers = { ["Retry_After"] = "300s" } , headers = { ["X-Request-Id"] = "ngx.var.requestId" }},
     -- CC Link validation
         INVALID_LINK        = { http_status = 403,  error_code = 403040, message = '{"error_code":"403040","message":"Invalid link"}' , headers = { ["X-Request-Id"] = "ngx.var.requestId" }},
-        LINK_NOT_FOUND      = { http_status = 404,  error_code = 404040, message = '{"error_code":"404040","message":"Link not found"}' , headers = { ["X-Request-Id"] = "ngx.var.requestId" }}
+        LINK_NOT_FOUND      = { http_status = 404,  error_code = 404040, message = '{"error_code":"404040","message":"Link not found"}' , headers = { ["X-Request-Id"] = "ngx.var.requestId" }},
+    -- Generate Hmac validators
+        MISSING_SOURCE      = { http_status = 400,  error_code = 400001, message = '{"error_code":"400001","message"="Missing digest source"}', headers = { ["X-Request-Id"] = "ngx.var.requestId" }},
+        MISSING_SECRET      = { http_status = 400,  error_code = 400002, message = '{"error_code":"400002","message"="Missing digest secret"}', headers = { ["X-Request-Id"] = "ngx.var.requestId" }}
     }
 
 local default_responses_array

test/perl/api-gateway/validation/signing/hmacGenericSignatureValidator.t

@@ -31,7 +31,7 @@ log_level('warn');
 
 repeat_each(2);
 
-plan tests => repeat_each() * (blocks() * 8) - 4;
+plan tests => repeat_each() * (blocks() * 9) + 10;
 
 my $pwd = cwd();
 
@@ -271,3 +271,109 @@ __DATA__
 [200,200,403,403,403,403]
 --- no_error_log
 [error]
+
+=== TEST 6: test HMAC signature validation and generation
+--- http_config eval: $::HttpConfig
+--- config
+        error_log ../test-logs/hmacGenericSignatureValidator_test6_error.log debug;
+        include ../../api-gateway/api_key_service.conf;
+        include ../../api-gateway/default_validators.conf;
+        # customize error response
+        set $validator_custom_error_responses '{
+               "MISSING_KEY"   :       { "http_status" : 403, "error_code" : 403000, "message" : "while (1) {}{\\"code\\":1033,\\"description\\":\\"Developer key missing or invalid\\"}" },
+               "INVALID_KEY"   :       { "http_status" : 403, "error_code" : 403003, "message" : "while (1) {}{\\"code\\":1033,\\"description\\":\\"Developer key missing or invalid\\"}" },
+               "INVALID_SIGNATURE"   : { "http_status" : 403, "error_code" : 403030, "message" : "while (1) {}{\\"code\\":1033,\\"description\\":\\"Call signature missing or invalid\\"}" },
+               "INVALID_SIGNATURE"   : { "http_status" : 403, "error_code" : 403033, "message" : "while (1) {}{\\"code\\":1033,\\"description\\":\\"Call signature missing or invalid\\"}" }
+        }';
+
+        location /validate-and-sign {
+            set $service_id 123456;
+
+            set $api_key $arg_api_key;
+            set_if_empty $api_key $http_x_api_key;
+            
+            set_by_lua $hmac_source_string 'return string.lower(ngx.var.request_method .. ngx.var.uri .. ngx.var.api_key)';
+            
+            set $hmac_target_string $arg_api_signature;
+            set $hmac_method sha1;
+
+            # Generate signature
+            set_by_lua $hmac_sign_source_string 'return string.lower(ngx.var.request_method .. ngx.var.uri)';
+            set $hmac_sign_method sha1;
+
+            set $validate_api_key on;
+            set $validate_hmac_signature on;
+            set $generate_hmac_signature on;
+            set $generated_digest "-";
+
+            access_by_lua "ngx.apiGateway.validation.validateRequest()";
+            content_by_lua 'ngx.say(ngx.var.generated_digest)';
+        }
+
+--- pipelined_requests eval
+[
+"POST /cache/api_key?key=sZ28nvYnStSUS2dSzedgnwkJtUdLkNdR&service_id=123456&secret=mO2AIfdUQeQFiGQq",
+"GET /validate-and-sign?api_key=sZ28nvYnStSUS2dSzedgnwkJtUdLkNdR&api_signature=XY1Y6BPr91I2gDbYmcahwA3mWzE=",
+# negative scenario: missing api-key
+"GET /validate-and-sign",
+# negative scenario: api_key present but invalid
+"GET /validate-and-sign?api_key=WRONG_KEY_WHICH_DOES_NOT_EXIST",
+# negative scenario: api_key is valid but the signature is not
+"GET /validate-and-sign?api_key=sZ28nvYnStSUS2dSzedgnwkJtUdLkNdR&api_signature=WRONG_SIGNATURE",
+# negative scenario: api_key is valid , missing signature
+"GET /validate-and-sign?api_key=sZ28nvYnStSUS2dSzedgnwkJtUdLkNdR"
+]
+--- response_body eval
+[
+"+OK\r\n",
+"5XPFapKr91/nLn3F+tzfkvSuE4A=\n",
+'while (1) {}{"code":1033,"description":"Developer key missing or invalid"}' . "\n",
+'while (1) {}{"code":1033,"description":"Developer key missing or invalid"}' . "\n",
+'while (1) {}{"code":1033,"description":"Call signature missing or invalid"}' . "\n",
+'while (1) {}{"code":1033,"description":"Call signature missing or invalid"}' . "\n"
+]
+--- error_code_like eval
+[200,200,403,403,403,403]
+--- no_error_log
+[error]
+
+=== TEST 7: test HMAC digest in isolation
+--- http_config eval: $::HttpConfig
+--- config
+        error_log ../test-logs/hmacGenericSignatureValidator_test7_error.log debug;
+        include ../../api-gateway/api_key_service.conf;
+        include ../../api-gateway/default_validators.conf;
+
+        location /generate_digest {
+            # Generate signature
+            set $hmac_sign_source_string $arg_source;
+            set $hmac_sign_secret $arg_secret;
+            set $hmac_sign_method sha1;
+
+            set $generate_hmac_signature on;
+            set $generated_digest "-";
+
+            access_by_lua "ngx.apiGateway.validation.validateRequest()";
+            content_by_lua 'ngx.say(ngx.var.generated_digest)';
+        }
+--- pipelined_requests eval
+[
+"GET /generate_digest?source=SignThisLikeYouOwnIt&secret=mO2AIfdUQeQFiGQq",
+"GET /generate_digest?source=SignThisLikeYouOwnIt",
+"GET /generate_digest?secret=mO2AIfdUQeQFiGQq",
+"GET /generate_digest"
+]
+--- response_body eval
+[
+"DYUCC7E/MCyn+aNcCb5EhM7OPDE=\n",
+'{"error_code":"400002","message"="Missing digest secret"}
+',
+'{"error_code":"400001","message"="Missing digest source"}
+',
+'{"error_code":"400001","message"="Missing digest source"}
+'
+]
+--- error_code_like eval
+[200, 400, 400, 400]
+--- no_error_log
+[error]

test/resources/api-gateway/default_validators.conf

@@ -61,6 +61,11 @@ location /validate_hmac_signature {
     content_by_lua 'ngx.apiGateway.validation.validateHmacSignature()';
 }
 
+location /generate_hmac_signature {
+    internal;
+    content_by_lua 'ngx.apiGateway.validation.generateHmacSignature()';
+}
+
 #
 # default OAuth Token validator impl along with the nginx variables it sets
 #